What DNSSEC is and how it works


What DNSSEC technology is, how it works, which security problems it solves and which it does not, and what its advantages and disadvantages are. And is DNSSEC really as perfect as some present it?

DNS Security

The DNS protocol, like all other protocols in the TCP/IP family, was designed in the early days of the Internet to be very simple and fast. Almost no security was built into these protocols because it was not needed at the time. The Internet was used by a small circle of people who knew and trusted each other. Simplicity, speed and efficiency on the much slower lines and less powerful computers of the time were essential. These protocols carry that legacy to this day, however, when the global network is full of people trying to do harm, whether for personal, financial, political or other reasons.

In practice, this means that, for example, there are ways for an attacker to return a spoofed IP address in response to a request to translate a domain name, thereby directing the victim to a fraudulent server. So even though the URL is entered correctly in the browser, the user ends up on a foreign site. This is the basis for successful phishing. However, this is just one of many examples of how unsecured DNS can be exploited.

Different variants of this attack are known as DNS spoofing and DNS cache poisoning.

The crux of the problem is that when you receive an IP address from a DNS server in response to your domain name request, you have no way of verifying that it is indeed correct and that nobody has changed it on the way to you.

What is DNSSEC

DNSSEC is a technology that uses electronic signatures to verify the origin of data in DNS records. This means that the user is able to verify the authenticity of the data retrieved from the DNS system and thus possibly detect a spoof.

DNSSEC does not encrypt the data being transferred – the data is still transferred in the same insecure way, but asymmetric cryptography is used to create electronic signatures for DNS records. These signatures and related data are again stored as DNS records. DNSSEC introduces several new types of records for these needs. Some contain an electronic signature of existing records, others carry information to verify the existence of records that are not in the domain zone.

DNSSEC is an extension to the existing DNS system, not a replacement. Everything works as before, but there are a few new types of records. It is up to the client whether or not it understands the new record types, whether or not it uses them and whether or not it performs the verification. A client that does not know DNSSEC accepts the requested records, ignores the new record types, and does not perform any checking. A DNSSEC-aware client, however, uses the new records to verify the others and only accepts the data retrieved from the server if all the electronic signatures match. This implies that it is not enough for DNSSEC to be deployed on DNS servers; clients must also actively participate. Thus, for the entire DNS system to be completely immune to the attacks that DNSSEC can prevent, all DNS servers and clients must understand and use DNSSEC. Of course, caching DNS servers must also store and forward the relevant DNSSEC records.
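As an added example (not code from the original article), the following pure-Python snippet shows the chain-of-trust check a validating client performs: the parent zone publishes a DS record that is a hash of the child zone's DNSKEY, so a key that has been replaced or altered on the way no longer matches. The key tag and DS digest follow RFC 4034; the domain name and key bytes are constructed for illustration.

```python
# Added example: tying a child zone's DNSKEY to the DS record in the parent zone.
# Key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4, SHA-256).
# The key material below is constructed for illustration, not a real key.
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, e.g. 'example.cz.'."""
    labels = [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag that RRSIG and DS records use to identify a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name in wire format | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validate a DNSKEY against a parent DS (key_tag, algorithm, digest_type, digest)."""
    tag, alg, dtype, digest = ds
    # Only SHA-256 digests are handled here; algorithm byte sits at offset 3 of the RDATA.
    if dtype != 2 or rdata[3] != alg or key_tag(rdata) != tag:
        return False
    return ds_digest(owner, rdata) == digest.lower()


if __name__ == "__main__":
    # Constructed KSK (flags 257), algorithm 13 = ECDSA P-256 with SHA-256.
    ksk = dnskey_rdata(257, 13, bytes(range(64)))
    ds = (key_tag(ksk), 13, 2, ds_digest("example.cz.", ksk))
    print("chain intact:", ds_matches("example.cz.", ksk, ds))
    tampered = ksk[:-1] + b"\xff"  # one byte of the published key changed in transit
    print("chain intact:", ds_matches("example.cz.", tampered, ds))
```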

It is still necessary to clarify what is meant here by “client”. Checking the DNS records you retrieve can be done at several levels. Records and their signatures can be checked directly by the end computer. However, this can also be done by the organization’s caching DNS server, which the computers on the corporate network trust: they receive DNS records from it without checking them again, so they are not burdened with signature verification. Similarly, the ISP’s caching DNS server can do the same thing, preventing untrusted data from being passed on to its customers’ computers.

What DNSSEC solves

  • verification of the origin of the DNS records obtained (by checking the electronic signature)
  • obtaining proof of the non-existence of a domain name or any record of it

What DNSSEC does not address

  • attacks on the client’s own DNS handling, i.e. spoofing of data on the client computer (applications above the operating system’s resolver no longer work with DNSSEC)
  • securing the DNS transfer paths – everything still travels openly and publicly, DNS queries can be eavesdropped on (and it is possible to find out what a client is interested in and where it is “surfing”)
  • restricting access to domain records, client authentication
  • attacks on DNS servers to shut them down; a suitable DDoS attack will cut off the relevant authoritative DNS server from the world and no one will be able to access the domain records at that time
  • fraudulent redirection or similar attacks at the IP address level – while you can safely learn the correct IP address you need to connect to from the DNS system, DNSSEC will not prevent a man-in-the-middle from redirecting your subsequent communication with the target elsewhere

But there are also some buts…

Beware of the campaigns of some institutions that convince the whole world that DNSSEC is the perfect technology that we cannot live without, and that without it the Earth will stop revolving around the Sun (sometimes we actually feel that way). There is no perfect technology, and even DNSSEC brings with it many complications and problems.

  1. The introduction of DNSSEC means adding many more, and larger, DNS records. The size of the domain zone file increases several times (about 4 times). This means more storage space requirements and more data transfers.
  2. Higher demands on computing power – DNS servers and clients must also work with electronic signatures (create them, verify their validity). This means a significant increase in CPU load. And some DNS server operators make no secret of the fact that they will have to buy newer hardware because of this.
  3. Greater susceptibility to failure – implementing DNSSEC on a DNS server requires greater expertise from the administrators and programmers who must implement and manage the technology. A simple human error (forgetting to roll over keys, a program error) can easily invalidate the electronic signatures, so even though the DNS records are fine and no one has spoofed them, they will be considered invalid and the domain will not work.
  4. More complex problem diagnosis – the more complex the technology, the more complicated the search for the root cause of problems.

So it may well be that the introduction of DNSSEC will cause more problems and domain unavailability than attackers would cause if the technology were not used.

Alternatives to DNSSEC

You should also be wary of the claim that DNSSEC is the only technology that can protect against DNS spoofing. It’s not true. For example, SSL (Secure Sockets Layer) has been around for a very long time and can do the same thing, including protection against redirecting communication to a foreign server (because only the right server is able to prove its identity with the appropriate private key). And as a bonus, it encrypts all communication between the end client and the server so that nothing can be eavesdropped on. HTTPS, for example, is HTTP secured in this way.

On the other hand, it is true that SSL cannot provide proof that a domain or DNS record does not exist. Only DNSSEC can do that.

We and DNSSEC

We are now offering DNSSEC technology in test operation for .CZ domains. In time, we will offer it for others. However, we will not impose it on customers. Anyone interested in activating it has the option. We’re not going to automatically turn it on for all of our customers’ domains, at least for now. It is necessary to let this technology mature a bit and to catch any shortcomings.

It must be said that for end-users and our customers, nothing changes with DNSSEC. We take care of everything, customers don’t have to do anything extra or understand the technology in detail. For them, everything is transparent.

We will add more detailed technical information about DNSSEC to our knowledge base over time.